
AES and Attacks on Cryptographic Hashes

John Manferdelli
jlm@cs.washington.edu
jmanfer@microsoft.com

Portions © 2004-2005, John Manferdelli.

This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability
for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

JLM 20060212 14:16 1


AES History
• Call for DES successor 1/97
• Square begets Rijndael (1998)
– Rijndael Designers: Vincent Rijmen and Joan Daemen
• Fifteen Submissions
– CAST-256, CRYPTON, DEAL, DFC (cipher), E2, FROG, HPC,
LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and
Twofish.
• Finalists
– MARS, RC6, Rijndael, Serpent, and Twofish
• FIPS 197 published 11/2001



AES

[Block diagram] The key schedule expands the key into round keys k1, k2, …, kr; the plaintext passes through r rounds, round i mixing in ki, to produce the ciphertext.
AES Requirements
• 128, 192, 256 bit keys
• Algorithms will be judged on the following factors:
– Actual security of the algorithm compared to other submitted algorithms
(at the same key and block size).
– The extent to which the algorithm output is indistinguishable from a
random permutation on the input block.
– Soundness of the mathematical basis for the algorithm’s security.
– Other security factors raised by the public during the evaluation
process, including any attacks which demonstrate that the actual
security of the algorithm is less than the strength claimed by the
submitter.

– Claimed attacks will be evaluated for practicality.


• Key agility (NSA): “Two blocks encrypted with two different keys
should not take much more time than two blocks encrypted with the
same key.”
Mars (Multiplication, Addition, Rotation
and Substitution)

Basic Structure

1. Whiten
2. 8 rounds of key independent mixing
3. 16 rounds of keyed Feistel transforms (2 S-boxes)
4. 8 rounds of key independent mixing
5. Whiten



RC6 Design Philosophy

• Leverage our experience with RC5: use data-dependent rotations to
achieve a high level of security.
• Adapt RC5 to meet AES requirements
• Take advantage of a new primitive for increased security and
efficiency: 32x32 multiplication, which executes quickly on modern
processors, to compute rotation amounts.

Slide by Ron Rivest (Second AES Conference)


Security against differential attacks

Estimate of the number of plaintext pairs required to mount a
differential attack.
(Only 2^128 such pairs are available.)

Rounds     Pairs
8          2^56
12         2^117
16         2^190
20 (RC6)   2^238   Infeasible
24         2^299

Slide by Ron Rivest (Second AES Conference)
Rijndael Overview

• Input
• p consisting of Nb words
• k with Nk words (Nk= 4,6,8)
• State
• 4 rows, Nb columns
• Key
• 4 rows, Nk columns
• Output
• c consisting of Nb words

All tables filled first col first s0,0, s1,0, s2,0, s3,0, s0,1, …



Rijndael Overview

• Design Philosophy
• Wide Trails
• 32 bit word operations
• Non-linear substitution (ByteSub) uses inversion in GF(2^8) followed by an affine map over GF(2)
• Mixing (MixCol) uses polynomial arithmetic mod (x^4+1) with coefficients in GF(2^8)


Rijndael Round Structure

Nr= max(Nk, Nb)+6

Nr       Nb=4   Nb=6   Nb=8
Nk=4     10     12     14
Nk=6     12     12     14
Nk=8     14     14     14


Rijndael State Layout
State: s_{i,j}; input byte number n (0 ≤ n < 4Nb) goes to row i= n (mod 4), column j= ⌊n/4⌋, i.e. n= 4j+i.

For Nb= 4

s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3


Rijndael Key Layout
Keys: k_{i,j}; key byte number n (0 ≤ n < 4Nk) goes to row i= n (mod 4), column j= ⌊n/4⌋.

For Nk= 4

k0,0 k0,1 k0,2 k0,3
k1,0 k1,1 k1,2 k1,3
k2,0 k2,1 k2,2 k2,3
k3,0 k3,1 k3,2 k3,3


Rijndael Algorithm

Rijndael (p, k, Nb, Nk) {
  ComputeRoundKeys(k, W[0…Nb*(Nr+1)-1])
  state= p
  AddRoundKey(0, state)
  for (i=1; i<=Nr; i++) {
    for each byte b in state
      ByteSub(b)
    ShiftRow(state)
    if (i<Nr)
      MixCol(state)
    AddRoundKey(i, state)
  }
  c= state
}
Inverse Rijndael Algorithm

InvRijndael (c, k, Nb, Nk) {
  ComputeRoundKeys(k, W[0…Nb*(Nr+1)-1])
  state= c
  for (i=0; i<Nr; i++) {
    AddRoundKey(Nr-i, state)
    if (i>0)
      InvMixCol(state)
    InvShiftRow(state)
    for each byte b in state
      InvByteSub(b)
  }
  AddRoundKey(0, state)
  p= state
}

(InvShiftRow and InvByteSub commute, so their order does not matter; InvMixCol is skipped for the last encryption round, which had no MixCol.)


Review: Arithmetic of GF(2^n)

• Suppose m(x) is an irreducible polynomial of degree n over GF(2):
m(x)= x^n + m_{n-1} x^{n-1} + … + m_0.
• Let a(x) and b(x) be polynomials of degree <n. They form a vector space of
dimension n over GF(2). Coefficients of like exponent “add”: (a_{n-1} x^{n-1} + … +
a_0) + (b_{n-1} x^{n-1} + … + b_0)= (a_{n-1}+ b_{n-1}) x^{n-1} + … + (a_0 + b_0).
• Euclidean algorithm: for polynomials a(x), b(x) with deg a(x) ≥ deg b(x)= n, there are
polynomials q(x), r(x), deg r(x) <n, such that a(x)= q(x)b(x)+r(x).
• Polynomials over GF(2) modulo m(x) form a field (with 2^n elements).
Multiplication is multiplication of polynomials mod m(x).
• Inverses exist by the following theorem: if a(x) and b(x) are polynomials, their
greatest common divisor d(x) can be written as
d(x)= a(x)u(x)+b(x)v(x) for some u(x), v(x) (extended Euclidean algorithm).


Example of multiplication and inverse

• In particular if a(x) and b(x) are co-prime: 1= a(x)u(x)+b(x)v(x) for
some u(x), v(x).
• Example
– m(x)= x^2 +x +1. m(x) is irreducible (otherwise it would have a root in
GF(2), but m(0)= m(1)= 1).
– x+(x+1)= 1, 1+(x+1)= x
– (x+1)(x+1)= x^2+2x+1= x^2+1 (since 2x= 0 over GF(2)) = x + (x^2 +x +1)= x (mod m(x))
– (x+1) and m(x) are co-prime; in fact,
1= (x+1)(x) + (x^2 +x +1)(1)
– So “x” is the multiplicative inverse of “x+1” in GF(4).
– Usually elements of GF(2^n) are written in place notation, so x^5+x^3 +x^2 +1=
101101.


ByteSub Primitive

ByteSub(b)
  if b==0
    t= 0
  else
    t= b^{-1}        (inverse in GF(2^8) with m(x)= x^8+x^4+x^3+x+1)
  return(Mt + a)     (M, a over GF(2); t taken as a column of 8 bits, bit 0 first)

M= circ(1,0,0,0,1,1,1,1)
a= (1,1,0,0,0,1,1,0)^T   (= 0x63)


ByteSub Data

M (circulant, row i is row 0 rotated right by i):    a:
1 0 0 0 1 1 1 1                                      1
1 1 0 0 0 1 1 1                                      1
1 1 1 0 0 0 1 1                                      0
1 1 1 1 0 0 0 1                                      0
1 1 1 1 1 0 0 0                                      0
0 1 1 1 1 1 0 0                                      1
0 0 1 1 1 1 1 0                                      1
0 0 0 1 1 1 1 1                                      0


Bytesub

ByteSub is applied independently to every byte of the state: t_{i,j}= ByteSub(s_{i,j}).

s0,0 s0,1 s0,2 s0,3        t0,0 t0,1 t0,2 t0,3
s1,0 s1,1 s1,2 s1,3   →    t1,0 t1,1 t1,2 t1,3
s2,0 s2,1 s2,2 s2,3        t2,0 t2,1 t2,2 t2,3
s3,0 s3,1 s3,2 s3,3        t3,0 t3,1 t3,2 t3,3
Rijndael Primitives
ShiftRow(state)
  rotate row 0 left by 0.
  rotate row 1 left by 1.
  rotate row 2 left by 2 if Nb<8, 3 otherwise.
  rotate row 3 left by 3 if Nb<8, 4 otherwise.

MixCol(state)
  multiply each column of state by c(x) (mod x^4 +1)
  c(x)= 0x03 x^3 + 0x01 x^2 + 0x01 x + 0x02

InvMixCol(state)
  multiply each column of state by d(x)= c(x)^{-1} (mod x^4 +1)
  d(x)= 0x0b x^3 + 0x0d x^2 + 0x09 x + 0x0e

AddRoundKey(i,state)
  state= state + W[i]   (xor in round key i, one word per column)
ShiftRow

s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3

becomes (Nb= 4, each row rotated left by its row number)

s0,0 s0,1 s0,2 s0,3
s1,1 s1,2 s1,3 s1,0
s2,2 s2,3 s2,0 s2,1
s3,3 s3,0 s3,1 s3,2
MixCol

s0,0 s0,1 s0,2 s0,3
s1,0 s1,1 s1,2 s1,3
s2,0 s2,1 s2,2 s2,3
s3,0 s3,1 s3,2 s3,3

Column 0 is read as the polynomial s3,0 x^3 + s2,0 x^2 + s1,0 x + s0,0 (row 0 is the constant term) with coefficients in GF(2^8), and
t3,0 x^3 + t2,0 x^2 + t1,0 x + t0,0= (0x03 x^3 + 0x01 x^2 + 0x01 x + 0x02) × (s3,0 x^3 + s2,0 x^2 + s1,0 x + s0,0) (mod x^4+1),
so t0,0= 02·s0,0 + 03·s1,0 + s2,0 + s3,0, etc.

t0,0 s0,1 s0,2 s0,3
t1,0 s1,1 s1,2 s1,3
t2,0 s2,1 s2,2 s2,3
t3,0 s3,1 s3,2 s3,3

(the same multiplication is applied to each of the other columns)
RoundKeys
ComputeRoundKeys(K[4*Nk], W[Nb*(Nr+1)]) {
  for(i=0; i<Nk; i++)
    W[i]= (K[4i], K[4i+1], K[4i+2], K[4i+3])
  for(i=Nk; i<Nb*(Nr+1); i++) {
    t= W[i-1]
    if((i mod Nk)==0)
      t= SubByte(RotByte(t)) + RCon(i/Nk)
    else if(Nk>6 && (i mod Nk)==4)
      t= SubByte(t)
    W[i]= W[i-Nk] + t
  }
}


RoundKeys Primitives

SubByte(w= (a,b,c,d))
  w= (ByteSub(a), ByteSub(b), ByteSub(c), ByteSub(d))
  return(w)

RotByte(w= (a,b,c,d))
  w= (b,c,d,a)
  return(w)

RCon[i]= (RC[i], 0x00, 0x00, 0x00);

RC[1]= 0x01
RC[i+1]= RC[i]·0x02 in GF(2^8) [multiply by “x”; so RC[9]= 0x1b after reduction by m(x)]
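The primitives above assembled into a complete AES-128 encryption (Nb= Nk= 4, Nr= 10), as an added example that is not part of the original slides: the S-box is computed from the GF(2^8) inverse and the affine map M·t + a rather than copied from a table, the key schedule follows ComputeRoundKeys with RC[i+1]= RC[i]·x, and the result is checked against the FIPS 197 test vectors. The function names, the bit-serial gf_mul and the restriction to the 128-bit block and key size are this example's choices.

```python
# Added example: AES-128 encryption (Nb = Nk = 4, Nr = 10) from the Rijndael
# primitives on the slides.  Instructional code: the table lookups are indexed
# by secret data, so this is not constant-time and not for production use.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce x^8 by m(x): x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Inverse as a^254 (the nonzero elements form a group of order 255); 0 -> 0."""
    r, x, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r

def byte_sub(b: int) -> int:
    """ByteSub: t = b^-1, then the GF(2)-affine map M*t + a with
    M = circ(1,0,0,0,1,1,1,1) and a = 0x63 (bits 1,1,0,0,0,1,1,0)."""
    t = gf_inv(b)
    out = 0
    for i in range(8):
        bit = (t >> i) ^ (t >> ((i + 4) % 8)) ^ (t >> ((i + 5) % 8)) \
            ^ (t >> ((i + 6) % 8)) ^ (t >> ((i + 7) % 8))
        out |= (bit & 1) << i
    return out ^ 0x63

SBOX = [byte_sub(b) for b in range(256)]

def key_expansion(key: bytes) -> list:
    """ComputeRoundKeys for Nk = 4: Nb*(Nr+1) = 44 words, each a list of 4 bytes."""
    nk, nr = 4, 10
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rc = 0x01                                   # RC[1]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[x] for x in t[1:] + t[:1]]  # SubByte(RotByte(t))
            t[0] ^= rc                          # + RCon(i/Nk) = (RC, 0, 0, 0)
            rc = gf_mul(rc, 0x02)               # RC[i+1] = RC[i] * x
        w.append([x ^ y for x, y in zip(w[i - nk], t)])
    return w

def shift_row(s):
    """Row r (0..3) rotated left by r positions (Nb = 4)."""
    return [s[r][r:] + s[r][:r] for r in range(4)]

def mix_col(s):
    """Each column times c(x) = 03 x^3 + 01 x^2 + 01 x + 02 modulo x^4 + 1."""
    t = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a0, a1, a2, a3 = (s[r][c] for r in range(4))
        t[0][c] = gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3
        t[1][c] = a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3
        t[2][c] = a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3)
        t[3][c] = gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)
    return t

def add_round_key(s, w, rnd):
    """state = state + W[4*rnd .. 4*rnd+3]; word c of the round key is column c."""
    return [[s[r][c] ^ w[4 * rnd + c][r] for c in range(4)] for r in range(4)]

def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Rijndael(p, k, Nb=4, Nk=4): the round loop exactly as on the slide."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    w = key_expansion(key)
    s = [[block[r + 4 * c] for c in range(4)] for r in range(4)]  # column-major fill
    s = add_round_key(s, w, 0)
    for rnd in range(1, 11):
        s = [[SBOX[b] for b in row] for row in s]                 # ByteSub
        s = shift_row(s)                                          # ShiftRow
        if rnd < 10:
            s = mix_col(s)                                        # MixCol (not in last round)
        s = add_round_key(s, w, rnd)                              # AddRoundKey
    return bytes(s[r][c] for c in range(4) for r in range(4))

if __name__ == "__main__":
    # FIPS 197 Appendix C.1 vector: expect 69c4e0d86a7b0430d8cdb78070b4c55a
    key = bytes(range(16))
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())
```

Each primitive is a separate pass over the state, which is exactly the per-primitive implementation that Homework 7, question 1, asks you to beat with combined lookup tables.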


AES Finalist Bakeoff

                   MARS   RC6   Rijndael (AES)   Serpent   Twofish
General Security    3      2         2             3         3
Implementation      1      1         3             3         2
SW Perf             2      2         3             1         1
Smart Card Perf     1      1         3             3         2
HW Perf             1      2         3             3         2
Design features     2      1         2             1         3

Score: 1 (low) to 3 (high). From NIST report 2 Oct 2000.
Algebraic Attacks - Preview

• XSL, Courtois, Pieprzyk, Murphy, Robshaw
1. Generate equations of higher degree than the original equations by
multiplying the equations of an active S-box by passive S-box equations
2. Solve the resulting system by treating each monomial as a formal variable
(linearization)
• An estimate of the number of linearly independent equations is necessary
• The claim that solving the equations for AES was possible, because the
estimated number of linearly independent equations was adequate,
generated excitement.
• Coppersmith cast doubt on the count of linearly independent
equations.


Stream Ciphers

• Synchronous stream ciphers


– The keystream is generated independently of the
plaintext and the ciphertext
– Using Keyed PRNG
• Asynchronous stream ciphers
– The keystream is generated as a function of the
key, K, and at most t previous ciphertext symbols.



Stream Cipher Encryption and PRNGs

Plaintext:    p_1 p_2 p_3 …
PRNG(seed):   k_1 k_2 k_3 …   (the keystream; the seed is the key)
Ciphertext:   c_1 c_2 c_3 …

Encryption Equation: c_j= p_j ⊕ k_j (and decryption p_j= c_j ⊕ k_j)


Synchronous Stream using Linear
Feedback Shift Register (LFSR)

Register cells s_t, s_{t+1}, …, s_{t+L-2}, s_{t+L-1} with feedback taps a_0, a_1, …, a_{L-2}, a_{L-1}

a_i, s_j ∈ F_q
Recurrence: s_{j+L}= Σ_{i=0}^{L-1} a_i s_{j+i}

Polynomial: f(x)= Σ_{i=0}^{L-1} a_i x^i − x^L
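An LFSR over GF(2) with the recurrence above, and the Berlekamp-Massey algorithm recovering its taps from 2L consecutive output bits, as an added example that is not part of the slides. It is the "solve for taps" attack of the Attacks on RC4 and FSRs slide and the computation Homework 7, question 3, asks about; the register (L= 5, taps from x^5 + x^2 + 1) and its initial fill are constructed for the example, and the function names are this example's own.

```python
# Added example: an LFSR over GF(2) as on the slide, and Berlekamp-Massey
# recovering the shortest LFSR (hence the taps) from an observed keystream.
# The register and initial fill below are constructed for this example.

def lfsr_stream(a, init, n):
    """Slide recurrence: s[j+L] = sum_i a[i]*s[j+i] (mod 2), L = len(a) = len(init)."""
    L = len(a)
    s = list(init)
    while len(s) < n:
        j = len(s) - L
        s.append(sum(a[i] & s[j + i] for i in range(L)) & 1)
    return s[:n]

def berlekamp_massey(bits):
    """Return (L, c): the shortest LFSR generating `bits`, as a connection
    polynomial c with c[0] = 1 and s[i] = sum_{j=1..L} c[j]*s[i-j] (mod 2)."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1               # current length, index of the last length change
    for i in range(n):
        d = bits[i]            # discrepancy between prediction and observed bit
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m      # c(x) += x^(i-m) * b(x)
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:     # the LFSR must grow
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def taps_from_connection(c, L):
    """Convert c (s[i] = sum c[j] s[i-j]) to the slide's a[i] (s[j+L] = sum a[i] s[j+i])."""
    return [c[L - i] for i in range(L)]

def predict(bits, L, c, count):
    """Extend an observed keystream with the recovered LFSR."""
    s = list(bits)
    for _ in range(count):
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & s[-j]
        s.append(nxt)
    return s[len(bits):]

def recover_and_predict(observed, count):
    """The attack: taps and the next `count` keystream bits from 2L observed bits."""
    L, c = berlekamp_massey(observed)
    return L, taps_from_connection(c, L), predict(observed, L, c, count)

if __name__ == "__main__":
    a = [1, 0, 1, 0, 0]              # s[j+5] = s[j] + s[j+2]: x^5 + x^2 + 1, maximal length
    stream = lfsr_stream(a, [1, 0, 0, 0, 0], 40)
    L, taps, nxt = recover_and_predict(stream[:10], 5)
    print(L, taps, nxt, stream[10:15])
```

Ten bits are enough here because the sequence has linear complexity 5: Berlekamp-Massey needs only 2L bits to pin down an LFSR of length L, which is why a bare LFSR, whatever its length, is not a usable stream cipher.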


LFSR-based keystream generator

• Nonlinear combination generators


• Nonlinear filter generators



RC4

Initialization (key schedule)          Iteration (one output byte)
S[0..255] = 0,1,…,255                  i = (i + 1) mod 256
K[0..255] = Key,Key,Key,… (repeated)   j = (j + S[i]) mod 256
j = 0                                  swap S[i] and S[j]
for i = 0 to 255                       t = (S[i] + S[j]) mod 256
  j = (j + S[i] + K[i]) mod 256        Output S[t]
  swap S[i] and S[j]
i= j= 0


RC-4 Facts
• The RC4 state S is a permutation of {0, 1, …, N-1}, N= 2^n, where n= 8 is the word size.

• RC4 cannot enter states s with i= a, j= a+1, S[a+1]= 1 (Finney states). There are N-2 of these.

• Notation
• S_r, i_r, j_r and t_r denote the RC4 state during initialization after using key
words [0, 1, …, r].
• I(S), J(S), T(S), Z(S) are the state indices, output index and first
output word of RC4 (i.e. just after initialization is complete).
• T(S)= S[1]+S[S[1]], Z(S)= S[T(S)].
• Key is l words long

• References
• Fluhrer, Mantin and Shamir. Attacks on RC4 and WEP.
• Mantin, Master’s Thesis.


Attacks on RC4 and FSRs

• Simple xor attack on a stream without a MAC, or how to swindle your
bank: flipping a ciphertext bit flips the same plaintext bit.

• Reproduce internal state
• Solve for “taps” (an LFSR of length L is determined by 2L output bits)
• Look for short cycles

• Alleged RC4 resists these.
– RC4 is a good stream cipher if you throw away the first bunch of
bytes


Bias in Second Byte of RC4

Let S_i be the state after i iterations of the output loop and let <z_i> be the output sequence.

Theorem (Mantin-Shamir): P(z_2= 0) ≈ 2/N, roughly twice what we expect from a random
cipher.

Proof: Suppose S_0[2]= 0, S_0[1]= X ≠ 2, S_0[X]= Y.

Round 1:
i= 1, j= 0 + S_0[1]= X. Exchange S_0[1] and S_0[X], so S_1[1]= Y, S_1[X]= X.
Round 2:
i= 2, j= X + S_1[2]= X + 0= X. Exchange S_1[2] and S_1[X], so S_2[2]= X, S_2[X]= 0.
Output z_2= S_2[S_2[2] + S_2[X]]= S_2[X + 0]= 0.

S_0[2]= 0 happens with probability 1/N (and then z_2= 0 whenever S_0[1] ≠ 2); otherwise z_2= 0 with
probability about 1/N. So P(z_2= 0) ≈ 1/N + (1-1/N)(1/N) ≈ 2/N.

By Bayes, if z_2= 0 we can conclude S_0[2]= 0, i.e. extract a byte of state, with probability about 1/2.
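RC4 as written on the RC4 slide (key schedule and iteration), followed by an empirical check of the second-byte bias just proved, as an added example that is not part of the slides. The keys for the experiment are drawn from a seeded PRNG only so that the run is reproducible; the function names are this example's own, and the extra i, j parameters of the keystream function are an assumption added so that a state like the one in Homework 7, question 4, can be continued directly.

```python
# Added example: RC4 (KSA + PRGA) from the slide, and a measurement of the
# Mantin-Shamir second-byte bias P(z_2 = 0) ~ 2/N instead of 1/N.
import random

def rc4_ksa(key: bytes) -> list:
    """Initialization: S = identity, mixed with the key repeated to 256 bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(S: list, n: int, i: int = 0, j: int = 0) -> bytes:
    """Iteration: n output bytes starting from state (S, i, j); S is updated in place."""
    out = []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """c_j = p_j xor k_j; the same call decrypts."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(p ^ k for p, k in zip(data, ks))

def second_byte_zero_rate(trials: int, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    A random function would give 1/256; RC4 gives about 2/256."""
    rng = random.Random(seed)          # seeded only for reproducibility
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(rc4_ksa(key), 2)[1] == 0:
            zeros += 1
    return zeros / trials

if __name__ == "__main__":
    print(rc4_keystream(rc4_ksa(b"Key"), 10).hex())   # eb9f7781b734ca72a719
    print(second_byte_zero_rate(20000) * 256)         # about 2, not 1
```

The measured rate is the reason for the "throw away the first bunch of bytes" advice above: the bias lives in the early keystream, and an attacker who sees many ciphertexts with the same plaintext structure in byte 2 can read it off.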


Cryptographic Hashes

A cryptographic hash (“CH”) is a “one way function,” h, from all binary
strings (of arbitrary length) into a fixed block of size n (called the size
of the hash) with the following properties:
1. Given y= h(x) (but not x), it is infeasible to find any x’ such that y= h(x’).
(“One way,” “non-invertibility” or “pre-image” resistance.) Functions
satisfying this condition are called One Way Hash Functions (OWHF).
2. Given u, it is infeasible to find w ≠ u such that h(u)= h(w). (Weak collision
resistance, 2nd pre-image resistance.)
3. It is infeasible to find u ≠ w such that h(u)= h(w). (Strong collision
resistance.) Note 3 ⇒ 2. Functions satisfying this condition are called
Collision Resistant Functions (CRFs).

• Just like symmetric ciphers, the ratio of the work factor for computation of the
hash vs the work factor to break the hash should be very high.
• The adversary has complete information on computing the hash and
(obviously) can compute as many hashes from the target as she
wants.


Observations on Cryptographic Hashes

• Hashes are a strong “checksum”
• OWHF and CRF conditions make CHs satisfy many of the properties
of “random functions”
– Small changes should create large changes (otherwise the pre-
images of near neighbors are near neighbors, making collisions easy
to find)
– Small input changes should be statistically unrelated (uncorrelated)
to changes in any subset of the hash bits
– Analysis of CHs is very similar to symmetric cipher techniques
• Popular practical cryptographic hashes
– MD4, MD5 (now “broken”)
– SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (last 4 are “SHA-2”)
– RIPEMD


Observations

• Collision Resistance ⇒ 2nd pre-image resistance

• Let f(x)= x^2-1 (mod p).
– f(x) acts like a random function but is not a OWHF since square
roots are easy to calculate mod p.
• Let f(x)= x^2 (mod pq).
– f(x) is a OWHF (inverting it is as hard as factoring pq) but is neither collision nor 2nd
pre-image resistant: f(x)= f(-x).
• If either h1(x) or h2(x) is a CRHF so is h(x)= h1(x) || h2(x)
• MDC+signature & MAC+unknown key require all three
properties


What are Hash Functions Good for?

• Modification Detection Codes (MDCs): This is a strong
checksum (integrity check). Sometimes called “unkeyed”
hashes.

• Message Authentication Codes (MACs): If a shared secret is
part of the hash, two parties can determine authenticated
integrity with CHs. Called “keyed hashes”.

• Message Digests (MDs): Encrypting (with the private key) the
CH of a message (its MD) acts as a certification that the
message was “approved” by the possessor of the private key. This
is called a Digital Signature. [Note: you could “sign” the
whole message rather than the hash but this would take
oodles of time by comparison.]


What are Hash Functions Good for?

• Identity: Uniquely and securely identifies bit streams like
programs. The hash is a strong name for the program.
• Entropy mixing: Since CHs are random functions into fixed
size blocks with the properties of random functions, they are
often used to “mix” biased input to produce a “seed” for a
pseudo-random number generator.
• Password Protection: Store a salted hash of the password instead
of the password (Needham).
• Bit Commitment


One-Way Functions

Hashes come from two basic classes of one-way functions
– Mathematical
• Multiplication: Z= X•Y
• Modular Exponentiation: Z= Y^X (mod n) (Chaum-van Heijst-Pfitzmann
Hash)
– Ad-hoc (Symmetric cipher-like constructions)
• Custom Hash functions (MD4, SHA, MD5, RIPEMD)


Chaum-vanHeijst-Pfitzmann
Compression Function

• Suppose p is prime, q= (p-1)/2 is prime, a is a primitive root in F_p, b is
random (b ≠ 1, so b= a^x for some unknown x).
• g: {0,1,…,q-1}^2 → {1,2,…,p-1}, q= (p-1)/2, by:
– g(s, t)= a^s b^t (mod p)
• Not used in practice: too slow.
• Reduction to discrete log:
Suppose a collision g(s, t)= g(u, v), (s,t) ≠ (u,v), can be found. Then a^s b^t (mod p)= a^u b^v (mod p).
So a^{s-u} (mod p)= b^{v-t} (mod p). Let b= a^x (mod p). Then (s-u) ≡ x(v-t) (mod p-1).
But p-1= 2q and 0 < |v-t| < q, so gcd(v-t, p-1) ∈ {1, 2} and we can solve for x (at most two
candidates, checked against b), thus determining the discrete log of b.


Merkle/Damgard Construction

Input: x= x_1||…||x_t, split into padded n bit blocks
Input is usually padded

H_0= IV
H_i= f(H_{i-1}, x_i)   (f is the compression function: previous chaining value H_{i-1} and block x_i in, new chaining value out)
Hash value h(x)= g(H_t)   (g is an optional output transformation, often the identity)

Graphic by Josh Benaloh


Padding
• Standard technique (Merkle-Damgard strengthening)
– Let the last message block have k bits. If k= n, start a new
block and set k= 0.
– Append a 1 to the last block, leaving r= n-k-1 remaining bits
in the block.
– If r >= 64, append r-64 0s, then append the bit length of the
input expressed as a 64 bit unsigned integer.
– If r < 64, append r 0’s (to fill out the block), append n-64
0’s at the beginning of the next block, then append the bit length of the
input expressed as a 64 bit unsigned integer.


Technique for CHs from Block Ciphers

Let the input be x= x_1 || x_2 || … || x_t where each x_i is n bits long. Let g be a
function taking an n bit input to an m bit output. Let E(k, x) be a
block cipher with m bit keyspace and n bit block. Let H_0= IV.

Construction 1 (Matyas-Meyer-Oseas)
H_i= E(g(H_{i-1}), x_i) ⊕ x_i

Construction 2 (Davies-Meyer)
H_i= E(x_i, H_{i-1}) ⊕ H_{i-1}

Construction 3 (Miyaguchi-Preneel)
H_i= E(g(H_{i-1}), x_i) ⊕ x_i ⊕ H_{i-1}

The feed-forward of x_i in constructions 1 and 3 is essential: H_i= E(g(H_{i-1}), x_i) ⊕ H_{i-1}
can be inverted in x_i by a single decryption, so preimages of any H_i would be trivial.

Note: Because of birthday collisions (about 2^{n/2} work) n should be well above 64. Ideally, m= n and g= id.
DES with n= 64 is too small. AES with n= m= 128 is better.


Attacks on Cryptographic Hashes

• Birthday (Yuval) attacks
– Probability of no collision among k hashes into n values is given by the “Birthday Paradox” calculation:
• (1- 1/n)(1- 2/n) … (1-(k-1)/n)= n!/((n-k)! n^k)
• Probability of collision is >.5 when k^2 > n (roughly; k ≈ 1.18 √n).
• Need about 2^80 hashes to find a collision in SHA-1 this way.
• Since 1+x ≈ e^x, Π_{i=1}^{k-1} (1-i/n) ≈ e^{-k(k-1)/(2n)}.
• Dobbertin attacks on MD4
– Collision attack based on compression function weakness
• Biham, Chen, Chabaud, Joux, Wang et al, differential attacks on
RIPEMD-128, HAVAL, MD4, MD5, SHA-0, SHA-1
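The Yuval birthday attack run for real against a hash truncated to 32 bits, together with the e^{-k(k-1)/(2n)} estimate from the bullets above, as an added example that is not part of the slides. The candidate messages "message-<k>" are constructed for the example, hashlib's SHA-1 is used only as a convenient function to truncate, and the function names are this example's own.

```python
# Added example: birthday attack on a hash truncated to nbits, plus the
# slide's collision-probability estimate.  At 32 bits a collision appears after
# about sqrt(pi/2 * 2^32) ~ 82 000 hashes; at 160 bits the same loop would need
# about 2^80, which is the point of the slide.
import hashlib
import math

def truncated_hash(msg: bytes, nbits: int) -> int:
    """The top nbits of SHA-1(msg): a hash with n = 2^nbits possible values."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - nbits)

def collision_probability(k: int, n: int) -> float:
    """P(at least one collision among k random values in n) ~ 1 - e^{-k(k-1)/(2n)}."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))

def birthday_collision(nbits: int, max_tries: int):
    """Hash distinct messages until two collide; returns (m1, m2, tries) or None.
    Memory grows with k ~ sqrt(n), which is fine at 32 bits and hopeless at 160."""
    seen = {}
    for k in range(max_tries):
        m = b"message-%d" % k                 # constructed, distinct inputs
        h = truncated_hash(m, nbits)
        if h in seen:
            return seen[h], m, k + 1
        seen[h] = m
    return None

if __name__ == "__main__":
    nbits = 32
    m1, m2, tries = birthday_collision(nbits, 1 << 20)
    print(m1, m2, tries, math.isqrt(1 << nbits))
    print(collision_probability(tries, 1 << nbits))
```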


Attacks on Cryptographic Hashes
• Berson (1992), differential cryptanalysis of 1 round of MD5.
• den Boer and Bosselaers (1993), pseudo-collision in MD5.
• Dobbertin (1996), collisions in the compression function. These attacks inspired the
RIPEMD-160 proposal.
• Biham and Chen (2004), collisions in SHA-0.
• Chabaud and Joux (2004), collisions in SHA-0.
• Wang, Feng, Lai, Yu (2004), MD4, MD5, RIPEMD
• Wang et al (2004, 2005), SHA-1

• SHA-1 has stood up best: the best known theoretical attack (11/05) requires
2^64 operations.


Prefix attacks, and HMACs

• Prefix and suffix attacks on naive keyed hashes
– Length extension: for a Merkle-Damgard hash the output is the internal state, so
from Hash(m1) and |m1| anyone can compute Hash(m1||pad||m2) without knowing m1.
This breaks the “secret prefix” MAC Hash(K||m).
– Hash(m1||m2)= Hash(m1’||m2) whenever the internal states after m1 and m1’ collide.
– To fix: hDBL(m)= h(h(m)||m)
• HMAC: keyed-hash message authentication code
• Two popular keyed constructions
– MAC_K(x)= Hash(K|p|x|K), p is a pad (“envelope” method)
– HMAC_K(x)= SHA-1((K⊕opad) || SHA-1((K⊕ipad) || x)), with ipad= 0x36 and opad= 0x5c repeated to the block size


A Cryptographic Hash: SHA-1

[Figure] Compression function: 160 bits of state and a 512-bit input block go in, a new 160-bit state comes out.

Slide by Josh Benaloh
SHA-0/1

Initial state:
A= 0x67452301, B= 0xefcdab89, C= 0x98badcfe, D= 0x10325476, E= 0xc3d2e1f0

Round functions:
F_t(X,Y,Z)= (X∧Y)∨((¬X)∧Z),        t= 0,…,19
F_t(X,Y,Z)= X⊕Y⊕Z,                 t= 20,…,39
F_t(X,Y,Z)= (X∧Y)∨(X∧Z)∨(Y∧Z),     t= 40,…,59
F_t(X,Y,Z)= X⊕Y⊕Z,                 t= 60,…,79

Round constants:
K_t= 0x5a827999, t= 0,…,19
K_t= 0x6ed9eba1, t= 20,…,39
K_t= 0x8f1bbcdc, t= 40,…,59
K_t= 0xca62c1d6, t= 60,…,79

Do until no more input blocks {
  If last input block: pad to a multiple of 512 bits by adding a 1, then 0s, then 64 bits of length.
  M_i= input block word (32 bits), i= 0,…,15
  W_t= M_t, t= 0,…,15
  W_t= (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) <<<1, t= 16,…,79
      (absence of this <<<1 is the only difference between SHA-0 and SHA-1)
  a= A; b= B; c= C; d= D; e= E;
  for (t= 0 to 79) {
    x= (a<<<5) + F_t(b,c,d) + e + W_t + K_t   (addition mod 2^32)
    e= d; d= c; c= b<<<30; b= a; a= x;
  }
  A+= a; B+= b; C+= c; D+= d; E+= e;
}
Output A||B||C||D||E.
A Cryptographic Hash: SHA-1

[Picture from Wikipedia: one SHA-1 compression step]


A Cryptographic Hash: SHA-1

Depending on the round, the “non-linear” function f is
one of the following.

f(X,Y,Z) = (X∧Y) ∨ ((¬X)∧Z)
f(X,Y,Z) = (X∧Y) ∨ (X∧Z) ∨ (Y∧Z)
f(X,Y,Z) = X ⊕ Y ⊕ Z


A Cryptographic Hash: SHA-1

What’s in the final 32-bit transform?

• Take the rightmost word (e).
• Add in the leftmost word (a) rotated left 5 bits.
• Add in a round-dependent function f of the middle
three words (b, c, d).
• Add in a round-dependent constant K_t.
• Add in a portion of the 512-bit message (W_t).
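The SHA-0/1 pseudocode turned into a runnable SHA-1, as an added example that is not part of the slides: it implements the Merkle-Damgard padding from the Padding slide and the 80-step compression, checks itself against hashlib, then carries out the length-extension (prefix) attack on the naive MAC SHA-1(key||m) from the Prefix attacks slide and builds the HMAC construction that resists it. The key and messages are constructed for the example, the function names are this example's own, and the sha0 flag (dropping the <<<1) is included only to show the one-line difference, not as a tested SHA-0.

```python
# Added example: SHA-1 from the slide's pseudocode, with Merkle-Damgard padding,
# a length-extension attack on the naive MAC SHA-1(key || m), and HMAC-SHA-1.
# The key and messages below are constructed for the example.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md_pad(total_len: int) -> bytes:
    """Padding for a message of total_len bytes: 0x80, zeros to 56 mod 64, 64-bit bit length."""
    zeros = (56 - (total_len + 1)) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)

def sha1_compress(h, block, sha0=False):
    """One 512-bit block: message schedule W_t, 80 steps, then the feed-forward add."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        w.append(x if sha0 else _rotl(x, 1))      # the <<<1 is the only SHA-0/SHA-1 difference
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        x = (_rotl(a, 5) + (f & MASK) + e + w[t] + k) & MASK
        a, b, c, d, e = x, a, _rotl(b, 30), c, d
    return tuple((u + v) & MASK for u, v in zip(h, (a, b, c, d, e)))

def sha1(msg: bytes, iv=SHA1_IV, prior_len: int = 0, sha0=False) -> bytes:
    """SHA-1(msg).  iv/prior_len resume from a known chaining value after prior_len bytes."""
    if prior_len % 64:
        raise ValueError("prior_len must be a whole number of blocks")
    data = msg + md_pad(prior_len + len(msg))
    h = iv
    for off in range(0, len(data), 64):
        h = sha1_compress(h, data[off:off + 64], sha0)
    return struct.pack(">5I", *h)

def naive_mac(key: bytes, msg: bytes) -> bytes:
    """The broken 'secret prefix' MAC: H(key || msg)."""
    return sha1(key + msg)

def length_extend(tag: bytes, key_len: int, msg: bytes, suffix: bytes):
    """Given tag = H(key||msg) and only len(key), forge a valid tag for msg||glue||suffix."""
    glue = md_pad(key_len + len(msg))                 # what the hash padded with internally
    forged_msg = msg + glue + suffix
    resumed_from = key_len + len(msg) + len(glue)     # a block boundary by construction
    forged_tag = sha1(suffix, iv=struct.unpack(">5I", tag), prior_len=resumed_from)
    return forged_msg, forged_tag

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC_K(x) = H((K xor opad) || H((K xor ipad) || x)), block size 64 bytes."""
    if len(key) > 64:
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return sha1(opad + sha1(ipad + msg))

if __name__ == "__main__":
    key, msg = b"secret-key-123", b"amount=10&to=alice"          # constructed
    tag = naive_mac(key, msg)
    forged_msg, forged_tag = length_extend(tag, len(key), msg, b"&to=mallory")
    print(forged_tag == naive_mac(key, forged_msg))              # True: forgery accepted
    print(hmac_sha1(key, msg) == hmac.new(key, msg, hashlib.sha1).digest())
```

The forger never learns the key: the tag is the chaining state after the key and message were absorbed, so the attacker only has to know how the hash padded them. HMAC's outer hash hides that state, which is why the same trick does not apply to it.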


Breaking news on “Chinese” Attacks on Hashes

• Don’t use MD4 or you’ll look really really silly.
• Don’t use MD5.
• Don’t use RIPEMD-128
• SHA-1 appears to have collision attacks of the order
2^64
• Use SHA-2 functions
– Truncate to provide legacy compatibility if you have
to (i.e. – gun to head)
– Required by “Suite B” Standards


SHA-2
• FIPS 180-2, 8/02.
– Defines SHA-256, SHA-384, SHA-512.
– SHA-224 (truncated) added 2/04
• Great increase in mixing between bits of the words
compared to SHA-1.
• US Patent 6,829,355
• Inventor: Glenn Lilly
• Assignee: NSA
• Can obtain source from
– http://en.wikipedia.org/wiki/SHA-2



Other Cryptographic Hashes and
Performance

Hash Name    Digest Size (bits)   Relative Speed
MD4          128                  1
MD5          128                  .68
RIPEMD-128   128                  .39
SHA-1        160                  .28
RIPEMD-160   160                  .24

(All five process 512-bit input blocks; speed is relative to MD4.)


What to take home
• Symmetric ciphers and hashes provide key ingredients for
“distributed security”
– Fast data transformation to provide confidentiality
– Integrity
– Public key crypto provides the critical third component (trust negotiation, key
distribution)
• It’s important to know the properties of cryptographic primitives and how
likely possible attacks are, etc.
– Most modern ciphers are designed so that knowing the output for n-1
messages provides no useful information about the nth message.
– This has an effect on some modes of operation.


General Modern References
Blake, Seroussi, and Smart, Elliptic Curves in Cryptography. Cambridge.
Bressoud and Wagon, A Course in Computational Number Theory. Key College Publishing.
Bach and Shallit, Algorithmic Number Theory. MIT Press.
Berlekamp, Algebraic Coding Theory. Reprinted by Aegean Park Press.
Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard. Springer.
Boneh, Twenty Years of Attacks on the RSA Cryptosystem. Notices AMS.
Buchmann, Introduction to Cryptography. Springer.
Cohen, A Course in Computational Algebraic Number Theory. Springer.
Damgård, Lectures on Data Security. Springer.
Golomb, Shift Register Sequences. Reprinted by Aegean Park Press.
Koblitz, A Course in Number Theory and Cryptography. Springer.
Koblitz, Algebraic Aspects of Cryptography. Springer.
Konheim, Cryptography: A Primer. Wiley.
Landau, DES and AES survey articles. Notices AMS.
MacWilliams and Sloane, The Theory of Error-Correcting Codes. North Holland.
Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography. CRC Press.
(Online: http://www.cacr.math.uwaterloo.ca/hac/)
Rhee, Cryptography and Secure Communications.
Rivest, Class notes on Security and Crypto, online (web.mit.edu).
Schneier, Applied Cryptography. Wiley.
Simovits, The DES: An Extensive Documentation and Evaluation. Aegean Park Press.
Stinson, Cryptography: Theory and Practice. CRC Press.
Welsh, Codes and Cryptography. Oxford.

Web sites: www.rsa.com, www.counterpane.com, www.iacr.org (loads of preprints).


Homework 7
1. We saw that a typical round of AES consists of the following operations:
for each byte, b in state
ByteSub(b)
ShiftRow(state)
if(i<Nr)
MixCol(state)
AddRoundKey(i, state)

For the 128 bit key, 128 bit block size version of Rijndael, using lookup tables
to reduce the computations required and assuming basic operations (32
bit lookup, 32 bit xor, etc) all take about .001 microseconds and your
code/data budget is under 16 MB, design an implementation of the round
operations that is faster than implementing each of the primitive
operations (ByteSub, ShiftRow, MixCol) separately.
How long does each round take (about)?
Counter mode use of AES is used by selecting a nonce (n) and constructing
cipher blocks AES_K(n||ctr), AES_K(n||ctr+1), AES_K(n||ctr+2), …. The
resulting bits are xored into the plaintext (as with a stream cipher).
What properties of AES make this safe? Can the keystream be
generated in parallel and stored for later use? What performance
properties does this mode have over ECB?


Homework 7
2. Show that f(x)= x^2 (mod pq) is a One-Way Function but
is not Collision Resistant, where p and q are prime.
3. Linear Feedback Shift Register Cryptosystem:
Suppose X is a cryptosystem implemented by a 5
element linear feedback shift register which generates a
pseudo random stream s_0, s_1, s_2, … so
• s_{n+5}= a_4 s_{n+4} ⊕ a_3 s_{n+3} ⊕ a_2 s_{n+2} ⊕ a_1 s_{n+1} ⊕ a_0 s_n
If the first 10 output bits of the pseudo random generator are
1110100010, what are the next 3 bits? Assume n is the register
length. About how many consecutive bits do you need to break
an LFSR? How does this compare to a stream generator on an n
bit state that is not linear?


Homework 7
4. Given i= 64, j= 245 and S as stated below, what are
the next 4 bytes of output of RC4? Estimate the speed
of encrypting the next 4 bytes of output of an RC4
cipher on a computer in which assignment, addition and
logical AND each require .001 microseconds.

5. Suppose two parties share a secret key k and wish to
communicate a series of “yes/no” answers over a public
channel without disclosing the answers. Design a
protocol to do this using a MAC. Be careful to make
sure the adversary cannot figure out all the answers if
they learn the “code” for a few of the yes/no
answers.
Homework 7
S[0…255], 16 entries per row (S[0…127] in the first 8 rows, S[128…255] in the last 8):

0x08 0xa5 0xe9 0x09 0x45 0xc0 0xed 0xf1 0x6d 0x15 0xc2 0xab 0x7a 0xa4 0x3f 0x00
0x5d 0xfd 0x34 0xc3 0x4e 0x7b 0x9d 0x96 0x48 0xa3 0xd1 0x4a 0x75 0xb7 0x85 0xd8
0x38 0x76 0x7c 0x49 0x8f 0xd9 0x35 0xcc 0xfb 0xfe 0xf2 0xe6 0x13 0x56 0xec 0xa7
0x99 0xb0 0x2d 0x97 0xe7 0x1d 0xa9 0x16 0x9a 0xe2 0x64 0x53 0x5f 0x65 0xd3 0xc8
0x7d 0x10 0x8c 0x89 0x51 0xa1 0xd7 0x5b 0x68 0x74 0x02 0xdc 0x6f 0x43 0xe1 0x8b
0x3d 0x1c 0x23 0x1e 0xe0 0xb2 0x84 0xa8 0xbf 0xa2 0x2a 0x80 0xbb 0x6a 0x28 0x78
0xc5 0x24 0x86 0xb9 0x07 0xac 0xf0 0x52 0x17 0xf6 0xfc 0x67 0xb3 0x9e 0xcb 0x31
0x32 0x92 0xda 0x06 0xe4 0xd4 0x82 0xd5 0xf9 0xaa 0x9b 0x2b 0xb8 0x1a 0x3e 0xf8
0xdb 0xae 0x04 0x4c 0x36 0xc6 0x19 0x2e 0xd2 0x5c 0x20 0x11 0x4b 0x3b 0x0b 0x6e
0xb4 0x2c 0x69 0xc7 0xce 0x71 0x91 0xa6 0xaf 0xca 0x6b 0x60 0x94 0x5a 0x61 0x27
0xde 0x22 0x59 0xf4 0x54 0x25 0x42 0x0d 0xb5 0x7e 0x4d 0xbe 0x57 0x26 0xcf 0xef
0xff 0x03 0x0a 0x44 0x87 0x37 0x8e 0x12 0xbc 0x40 0x72 0x14 0x83 0x47 0xf7 0x1b
0x30 0x33 0x58 0x3a 0x81 0xf3 0x8d 0x9f 0x79 0x50 0x1f 0x3c 0x5e 0x0f 0xf5 0x62
0xbd 0xc4 0x95 0x73 0x93 0x55 0x41 0xb6 0x6c 0x21 0x70 0x4f 0xeb 0xea 0x98 0xfa
0x90 0x63 0x9c 0x18 0x77 0xdd 0xe3 0xc9 0xba 0x46 0x01 0xcd 0x88 0x0e 0x39 0xc1
0x8a 0xb1 0x7f 0xee 0xe5 0xad 0x05 0xa0 0xd0 0xdf 0x2f 0x0c 0x29 0x66 0xd6 0xe8



Backup



Differential Cryptanalysis: Overview

Let P= (P_L, P_R), P*= (P_L*, P_R*) and C= (C_L, C_R),
C*= (C_L*, C_R*) be pairs of inputs and
outputs with prescribed xors
P’= (P_L’, P_R’)= (P_L, P_R) ⊕ (P_L*, P_R*)
C’= (C_L’, C_R’)= (C_L, C_R) ⊕ (C_L*, C_R*)

[Figure: P and P* each have the key K xored in and pass through the S-boxes to give C and C*; the input xor P’ and the output xor C’ are what is tracked, and K cancels out of P’.]

The output xor depends non-uniformly on the key bits.
Let the non-uniform distribution “vote” on the set
containing the keys.

Uses chosen plaintext/ciphertext pairs to get
enough compliant pairs by following the xor
of two plaintexts through the rounds of DES.
Examine the last round to discover the key.


Differential Profile of single S-box

• For prescribed input and output differences x’, y’ set
D_j(x’,y’)= {u: S_j(u⊕x’) ⊕ S_j(u)= y’}, then
– Note that if u is in this set so is u⊕x’ (the pair {u, u⊕x’} is counted twice)
– If x is the pre-key input to S_j (the E-expanded bits), the actual S-box input is x⊕k,
so k ∈ x ⊕ D_j(x’,y’).

• |D_j(x’, y’)| has a non-uniform distribution.
• For a given input difference about 80% of the output
differences are possible.
• p= |D_j(x’, y’)|/2^m, m is the dimension of the S-box input space (m= 6 for DES).
• Biham and Shamir denote this as x’ → y’ with probability p.


S1 Differential Distribution
S box 1: entry (x’, y’) is |D_1(x’, y’)|, the number of inputs u with S_1(u⊕x’)⊕S_1(u)= y’
(rows: input xor x’ in hex, 00…12 shown; columns: output xor y’ in hex; every row sums to 64)

x’\y’ 0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4
2 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2
3 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0
4 0 0 0 6 0 10 10 6 0 4 6 4 2 8 6 2
5 4 8 6 2 2 4 4 2 0 4 4 0 12 2 4 6
6 0 4 2 4 8 2 6 2 8 4 4 2 4 2 0 12
7 2 4 10 4 0 4 8 4 2 4 8 2 2 2 4 4
8 0 0 0 12 0 8 8 4 0 6 2 8 8 2 2 4
9 10 2 4 0 2 4 6 0 2 2 8 0 10 0 2 12
a 0 8 6 2 2 8 6 0 6 4 6 0 4 0 2 10
b 2 4 0 10 2 2 4 0 2 6 2 6 6 4 2 12
c 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2
d 6 6 4 8 4 8 2 6 0 6 4 6 0 2 0 2
e 0 4 8 8 6 6 4 0 6 6 4 0 0 4 0 8
f 2 0 2 4 4 6 4 2 4 8 2 2 2 6 8 8
10 0 0 0 0 0 0 2 14 0 6 6 12 4 6 8 6
11 6 8 2 4 6 4 8 6 4 0 6 6 0 4 0 0
12 0 8 4 2 6 6 4 6 6 4 2 6 6 0 4 0



S1 Differential Distribution: another view
S box 1, output xor y’= 0x0d; each D_1(x’, 0d) is listed as pairs (u, u⊕x’):

D_1(00, 0d): 0 found
D_1(01, 0d): (0a,0b) (0b,0a) (22,23) (23,22) (3e,3f) (3f,3e) 6 found
D_1(02, 0d): (08,0a) (0a,08) (29,2b) (2b,29) (35,37) (37,35) 6 found
D_1(03, 0d): (14,17) (17,14) 2 found
D_1(04, 0d): (13,17) (17,13) (1b,1f) (1f,1b) (2a,2e) (2e,2a) (3b,3f)
(3f,3b) 8 found
D_1(05, 0d): (01,04) (04,01) 2 found
D_1(06, 0d): (21,27) (27,21) 2 found
… … …
D_1(33, 0d): (07,34) (0d,3e) (1a,29) (29,1a) (34,07)
(3e,0d) 6 found
D_1(34, 0d): (06,32) (10,24) (16,22) (1c,28) (22,16)
(24,10) (28,1c) (32,06) 8 found
D_1(35, 0d): (00,35) (35,00) 2 found
D_1(36, 0d): (02,34) (0d,3b) (34,02) (3b,0d) 4 found


Example: Differential Cryptanalysis of S1
through a single round
Consider input texts (before the key xor) and output xors from S1:
P1= 0x01, P1*= 0x35 (so P1’= 0x34), which produce output xor C1’= 0x0d.
P2= 0x22, P2*= 0x16 (so P2’= 0x34), which produce output xor C2’= 0x03.

Then
D_1(0x34, 0xd)= {0x06, 0x10, 0x16, 0x1c, 0x22, 0x24, 0x28, 0x32}.
D_1(0x34, 0x3)= {0x01, 0x02, 0x15, 0x21, 0x35, 0x36}.

And
(1) k ∈ P1 ⊕ D_1(0x34, 0xd)
(2) k ∈ P2 ⊕ D_1(0x34, 0x3)

(1) reduces the possible key set to {0x07, 0x11, 0x17, 0x1d, 0x23, 0x25, 0x29,
0x33}
(2) reduces the possible key set to {0x03, 0x14, 0x17, 0x20, 0x23, 0x37}.
The intersection (and actual possibilities) is {0x17, 0x23}.
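The sets D_1(x’, y’), the S1 distribution table and the key-candidate intersection of the example above, computed rather than read off the tables, as an added example that is not part of the slides. S1 is the DES S-box from FIPS 46; the (input, output-xor) pairs are the slide's, and the function names are this example's own. The same code serves the Differential Profile slide's definition of D_j and the filtering step of the 6-round attack, since `key_candidates` returns the empty set exactly when a pair is a "wrong pair".

```python
# Added example: the DES S1 differential profile D_1(x', y'), its distribution
# table, and the key-candidate filtering used in the worked example.

S1 = [   # DES S-box 1 (FIPS 46): 4 rows of 16 entries
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(u: int) -> int:
    """6-bit input b5..b0: row = (b5, b0), column = b4..b1, as in DES."""
    row = (((u >> 5) & 1) << 1) | (u & 1)
    col = (u >> 1) & 0xF
    return S1[row][col]

def diff_set(x_in: int, y_out: int, sbox=s1):
    """D_j(x', y') = { u : S(u xor x') xor S(u) = y' }."""
    return {u for u in range(64) if sbox(u ^ x_in) ^ sbox(u) == y_out}

def ddt(sbox=s1):
    """Differential distribution table: ddt[x'][y'] = |D_j(x', y')|, rows sum to 64."""
    table = [[0] * 16 for _ in range(64)]
    for x_in in range(64):
        for u in range(64):
            table[x_in][sbox(u ^ x_in) ^ sbox(u)] += 1
    return table

def key_candidates(pairs, sbox=s1):
    """Each pair is (x, x*, y'): the two pre-key S-box inputs and the observed
    output xor.  Returns the intersection over pairs of x xor D(x xor x*, y');
    an empty result means some pair cannot occur for any key (a wrong pair)."""
    cands = set(range(64))
    for x, x_star, y_out in pairs:
        cands &= {x ^ u for u in diff_set(x ^ x_star, y_out, sbox)}
    return cands

if __name__ == "__main__":
    print(sorted(hex(u) for u in diff_set(0x34, 0xD)))
    print(sorted(hex(k) for k in key_candidates([(0x01, 0x35, 0xD), (0x22, 0x16, 0x3)])))
```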


One Round Differential used to analyze 4
round DES

Method
Use the 1 round characteristic to the right:
input xor 20 00 00 00 00 00 00 00 (left half 20 00 00 00, right half 0), so the
F-function input xor is a’= 0, its output xor is A’= 0 with p= 1, and the
output xor of the round is again 20 00 00 00 00 00 00 00.
Undo the effect of the permutation matrix
and solve each S box separately.
This allows us to solve for 48 key
bits.
This 1 round characteristic will be
used to estimate the input xor in
subsequent rounds.


Differential Cryptanalysis of 4 rounds

[Figure: four rounds with F-function input/output xors (a’, A’), (b’, B’), (c’, C’), (d’, D’); L0’= 20 00 00 00, R0’= 00 00 00 00; output (L4, R4)]

• L0’= 20 00 00 00, R0’= 00 00 00 00, so a’= R0’= 0 and A’= 0.
• D’= a’ ⊕ B’ ⊕ L4’
• d’= R4’
• Because b’= L0’, only S1 is active in round 2: the output xor
of S2, S3, …, S8 in round 2 is
0. This gives 28 bits of B’ and
hence 28 bits of D’ are known.
• Since B’ is known, we can
calculate D’= B’ ⊕ L4’ using 4
encrypted pairs for each of the
7 relevant S boxes. All key
candidates are in this set,
which gives 7x6= 42 bits of key
with high probability.


Computing a single characteristic

[Figure: one round with input xor (L_in’, R_in’), F-function input xor a’ and output xor A’ with probability p, and output xor (L_out’, R_out’)]

• The first and most important
differential is (L’, 0) → (L’, 0),
p= 1.
• Another is (L’, 0x60000000) →
(L’ ⊕ 0x00808200, 0x60000000),
p= 1/4.
• Construction:
– E(0x60000000)= E(0110 0000
… 0000)= 001100 000000 …
000000
– S1: 001100 → 0xe with p= 14/64 ≈ 1/4,
S_j: 0 → 0 with p= 1, j>1, and
P(0xe0000000)= 0x00808200.


Multi-round Characteristics
• Sequence of differentials with
identified input and output
xors. Each round differential
occurs with probability p_i.
• Overall probability: p= Π p_i
• The characteristic to the right is a
three round characteristic with
probability (14/64)^2
• Used to approximate
differentials through multiple
rounds.
• Each pair following the
characteristic at each round is
called a “right pair”. Other
pairs are “wrong pairs.”
• Wrong pairs get distributed
uniformly; right pairs follow the
overall characteristic
probability.

Characteristic:
Ω_P= 00 80 82 00 60 00 00 00
  round 1: a’= 60 00 00 00, A’= 00 80 82 00, p= 14/64
  round 2: b’= 0, B’= 0, p= 1
  round 3: c’= 60 00 00 00, C’= 00 80 82 00, p= 14/64
Ω_C= 00 80 82 00 60 00 00 00
Three Round Characteristic

Ω_P= 40 08 00 00 40 00 00 00 → (three rounds) → Ω_C= 40 08 00 00 40 00 00 00

• This characteristic occurs with
probability p= 1/16 and forms
an estimate for the differential
input of the 4th round of the 6
rounds.
• (00 20 00 08 00 00 00 04) →
(00 00 04 00 00 20 00 08)
with p= 1/16 is another such
characteristic.
Differential Cryptanalysis of 6 rounds
• Suppose (L_{i-1}, R_{i-1}), k_i are the inputs to round i. P_L= L_0, P_R= R_0.
• L_6= R_4 ⊕ f(k_6, R_6)= L_3 ⊕ f(k_6, R_6) ⊕ f(k_4, R_3)
• L_6’= L_3’ ⊕ f(k_6, R_6) ⊕ f(k_6, R_6*) ⊕ f(k_4, R_3) ⊕ f(k_4, R_3*)
• L_6= C_L and R_6= C_R are known for both texts, hence L_6’= C_L’.
• Estimate L_3’= 40000000, R_3’= 40080000, using the three round characteristic.
• Set S= P^{-1}(C_L’ ⊕ 40000000)= f(k_6, C_R) ⊕ f(k_6, C_R*) ⊕ f(k_4, R_3) ⊕ f(k_4, R_3*)=
S_1(E_1) || S_2(E_2) || … || S_8(E_8), where E_1 || E_2 || … || E_8 are the bits obtained
by applying E to 40080000.
• E_1 || E_2 || … || E_8= 001000 000000 000001 010000 000000 000000 000000 000000=
08 || 00 || 01 || 10 || 00 || 00 || 00 || 00.
• Since the input xors to S2, S5, S6, S7, S8 are 0, f(k_4, R_3) ⊕ f(k_4, R_3*) is 0 in
the corresponding output bit positions and we are left with the simple
differential: P^{-1}(C_L’ ⊕ 40000000)= f(k_6, C_R) ⊕ f(k_6, C_R*) for S2, S5, S6, S7, S8.


Differential Cryptanalysis of 6 rounds
• The first characteristic yields 30 bits of key. The second one adds
  another 12 bits of key.
• Recall P^-1(CL ⊕ 40000000) = f(k6, CR) ⊕ f(k6, CR*) for S2, S5, S6, S7, S8.
• This occurs with p = 1/16.
• Straightforward implementation yielding 30 key bits:
  – Set up 2^30 counters
  – Bump the counter for the suggested key for each pair of the n chosen texts
  – The correct key will be "voted" at least n/16 times ("right pairs")
  – Incorrect keys will be voted randomly, each with probability 1/2^30


Differential Cryptanalysis of 6 rounds
• Improving the "signal to noise" ratio by "filtering" pairs
  – For each of S2, S5, S6, S7, S8 with input xor x' and output xor y', look at
    x ⊕ D_j(x', y').
  – If this is empty, this must be a wrong pair.
  – For any given S box, this happens with probability .2.
  – The probability that all 5 S boxes have non-empty candidate key sets is
    (.8)^5 = .33. Call this set of pairs RP and the complement WP.
  – RP contains 1/3 of the pairs, WP contains 2/3.
  – In RP, the probability of a "correct vote" is 3/16.
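The counter-voting step and the wrong-pair filter of the last two slides, as an added example that is not part of the slides. It is a small stand-in for the 6-round attack: two S-box positions (both modelled with the published DES S1 table, an assumption made for simplicity) are keyed by 6-bit XOR keys, and a characteristic is assumed to predict the S-box input xors for a fraction p of the pairs (the "right pairs"); the other pairs have random input xors. Every pair votes for the keys x ⊕ D(x', y') consistent with its observed output xor, and a pair is dropped for all boxes as soon as one box finds its (x', y') impossible. The keys, predicted xors and sampled pairs are constructed values.

```python
"""Differential key recovery on one DES S-box: vote counting and pair filtering.

Added example, not code from the slides.  Two S-box positions (both modelled
with the DES S1 table, an assumption) are keyed by 6-bit XOR keys; a fraction
p of the pairs are "right pairs" whose input XOR is the predicted one, the
rest ("wrong pairs") have random input XORs.  Each pair votes for the keys
consistent with its observed output XOR; a pair is discarded when any S-box
finds its (input XOR, output XOR) combination impossible.
"""
import random
from collections import Counter
from functools import lru_cache

# DES S-box S1 (FIPS 46): row = outer bits (b5, b0), column = middle bits b4..b1.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x):
    row = (((x >> 5) & 1) << 1) | (x & 1)
    return S1[row][(x >> 1) & 0xF]


def ddt():
    """Difference distribution table t[dx][dy] = #{z : S(z) ^ S(z ^ dx) == dy}."""
    t = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for z in range(64):
            t[dx][sbox(z) ^ sbox(z ^ dx)] += 1
    return t


@lru_cache(maxsize=None)
def dset(dx, dy):
    """D(dx, dy): S-box inputs z with S(z) ^ S(z ^ dx) == dy.  Empty => impossible."""
    return tuple(z for z in range(64) if sbox(z) ^ sbox(z ^ dx) == dy)


def simulate_pairs(keys, dxs, n, p_right, seed=1):
    """Constructed data: (inputs, observed output XORs) per pair, one entry per S-box."""
    rng = random.Random(seed)
    pairs = []
    for _ in range(n):
        right = rng.random() < p_right          # does this pair follow the characteristic?
        xs, dys = [], []
        for k, dx in zip(keys, dxs):
            x = rng.getrandbits(6)
            real_dx = dx if right else rng.getrandbits(6)
            xs.append(x)
            dys.append(sbox(x ^ k) ^ sbox(x ^ real_dx ^ k))   # attacker sees x and this XOR
        pairs.append((tuple(xs), tuple(dys)))
    return pairs


def recover(pairs, dxs, joint_filter=True):
    """Bump a counter for every key each pair suggests; return (counters, pairs kept).

    joint_filter=True is the slides' RP/WP split: a pair that is impossible for
    any S-box is dropped for all of them, so it adds no noise votes anywhere."""
    counts = [Counter() for _ in dxs]
    kept = 0
    for xs, dys in pairs:
        cands = [dset(dx, dy) for dx, dy in zip(dxs, dys)]
        if joint_filter and not all(cands):
            continue
        kept += 1
        for i, zs in enumerate(cands):
            for z in zs:
                counts[i][xs[i] ^ z] += 1       # key candidate: x ^ z
    return counts, kept


def top_keys(counter):
    best = max(counter.values())
    return {k for k, v in counter.items() if v == best}


if __name__ == "__main__":
    keys, dxs = (0x2B, 0x15), (0x34, 0x0C)    # constructed secrets / predicted input XORs
    pairs = simulate_pairs(keys, dxs, 4096, 1 / 16)
    counts, kept = recover(pairs, dxs)
    print("kept", kept, "of", len(pairs), "pairs after filtering")
    for i in range(2):
        print("box", i, "top keys", sorted(hex(k) for k in top_keys(counts[i])),
              "true key", hex(keys[i]))
```

Two things the run makes visible that the slides only state: the true key is always among the top-voted keys, but so is key ⊕ x', since D(x', y') is closed under ⊕ x' and a single input xor cannot tell the two apart (a second characteristic resolves this, as the slide's "another 12 bits" does); and the joint filter keeps fewer pairs than per-box filtering, which is exactly the noise reduction of the RP/WP split.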


Algebraic Attacks
• As we've seen, ciphertext can be expressed as an algebraic function of keys
  and plaintext (Lagrange Interpolation Theorem).
• Sometimes key bits are expressible as functions of plaintexts and ciphertexts.
• These are easy to solve if the equations are linear, even for very large
  key spaces.
• These are very hard to solve if the equations are even quadratic (NP-hard in
  fact, see "General System of Quadratic Equations" slide).
• General problem is "Find one solution of a system of m equations in n
  variables of bounded degree D over K (usually finite)":
    Σ_b a_b x^b + c_i = 0,  where x^b = x_1^{b_1} x_2^{b_2} ... x_n^{b_n} and Σ_i b_i ≤ D
• We refer to this problem as SolveAlgebraic(K,D,m,n) and often abbreviate
  equations as l_j(x) = 0.


Solving SolveAlgebraic(K,D,m,n)
• Classic technique is the Gröbner basis, see
  – Lauritzen, Concrete Abstract Algebra. Cambridge.
  – Cox, Little, O'Shea, Using Algebraic Geometry. Springer.
• Gröbner basis computation uses Buchberger's Algorithm, which is doubly
  exponential time in the worst case since the monomials grow very rapidly,
  and singly exponential time on average.
• This is not practical for n > 15.
• However, we can do better with an overdefined set of equations (m > n).
• Note first that if we pick m random equations with m > n they will likely be
  inconsistent.
• Let's see how we might solve overdetermined systems by solving them as we do
  linear equations, after we prove that solving even quadratic systems of
  equations is NP hard.
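The "solve them as we do linear equations" idea of the last slide, for the SolveAlgebraic(K,D,m,n) problem of the slide before it with K = GF(2) and D = 2, as an added example that is not from the slides. Each degree-2 monomial is treated as an independent unknown (linearization), and Gaussian elimination over GF(2) recovers the assignment when m is large enough for the linearized system to have full rank. The system itself is constructed: random quadratic equations whose constants are chosen so that a chosen secret satisfies them, so the number of unknowns, the equation count and the secret are all assumptions.

```python
"""Solving an overdefined quadratic system over GF(2) by linearization.

Added example, not from the slides.  SolveAlgebraic(K, D, m, n) with K = GF(2)
and D = 2: every degree <= 2 monomial becomes an independent unknown, the m
equations become linear in those unknowns, and Gaussian elimination solves
them when the linearized system has full column rank.  The equations are
constructed to vanish at a chosen secret assignment.
"""
import random
from itertools import combinations


def monomials(n):
    """Over GF(2) x_i^2 = x_i, so the degree <= 2 monomials are x_i and x_i*x_j (i < j)."""
    return [(i,) for i in range(n)] + list(combinations(range(n), 2))


def evaluate(eq, x):
    """eq = (monomials with coefficient 1, constant); value of sum(monomials) + c in GF(2)."""
    monos, c = eq
    total = c
    for mono in monos:
        v = 1
        for i in mono:
            v &= x[i]
        total ^= v
    return total


def random_system(n, m, secret, seed=7):
    """m random quadratic equations in n variables, each forced to vanish at `secret`."""
    rng = random.Random(seed)
    monos = monomials(n)
    system = []
    for _ in range(m):
        chosen = frozenset(mo for mo in monos if rng.getrandbits(1))
        c = evaluate((chosen, 0), secret)       # pick the constant so the equation holds
        system.append((chosen, c))
    return system


def solve_gf2(rows, ncols):
    """Gauss-Jordan elimination over GF(2).  Each row is an int: bit j (< ncols) is
    the coefficient of unknown j, bit ncols is the right-hand side.  Returns the
    unique solution, or None when the rank is deficient (an unknown stays free)
    or the equations are inconsistent."""
    rows = list(rows)
    for col in range(ncols):
        pivot = next((i for i in range(col, len(rows)) if (rows[i] >> col) & 1), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for i in range(len(rows)):
            if i != col and (rows[i] >> col) & 1:
                rows[i] ^= rows[col]
    if any(rows[ncols:]):                       # leftover rows must read 0 = 0
        return None
    return [(rows[col] >> ncols) & 1 for col in range(ncols)]


def solve_by_linearization(system, n):
    """Linearize (one unknown per monomial), solve, and read off the x_i."""
    monos = monomials(n)
    col = {mo: j for j, mo in enumerate(monos)}
    rows = []
    for chosen, c in system:
        r = c << len(monos)                     # sum(monomials) = c, since -c = c in GF(2)
        for mo in chosen:
            r |= 1 << col[mo]
        rows.append(r)
    sol = solve_gf2(rows, len(monos))
    if sol is None:
        return None
    x = [sol[col[(i,)]] for i in range(n)]
    # With full rank the product unknowns are forced to agree with the x_i.
    assert all(sol[col[(i, j)]] == (x[i] & x[j]) for i, j in combinations(range(n), 2))
    return x


if __name__ == "__main__":
    n, m = 6, 60                                # 21 monomials, 60 equations: overdefined
    secret = [1, 0, 1, 1, 0, 1]                 # constructed secret assignment
    system = random_system(n, m, secret)
    print("recovered", solve_by_linearization(system, n), "secret", secret)
```

The contrast the slide draws is visible in the failure case: with only 10 equations for 21 linearized unknowns the elimination finds a free column and returns None, which is the gap that relinearization and XL-style methods attack by multiplying equations to generate more of them.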


SHA-0 Strategy (Chabaud and Joux)
• Basic idea is to look for small differences that can be tracked through
  rounds, as in differential cryptanalysis.
• Consider three approximations to the SHA-0 compression function.
  – SHI-1
    • Use Xor instead of Add
    • Make f(i) linear
  – SHI-2
    • Use Xor instead of Add
    • Restore f(i) to original values
  – SHI-3
    • Restore Add
    • Make f(i) linear


SHI-1 Finding Collisions
• Assume the W(i) are unrelated and follow the progress of a change to W(1).

Table (state after each step; columns A, B, C, D, E):
  Step 1: A = W1 + ROL5(A) + f(B,C,D) + E + K, B = A, C = ROL30(B), D = C, E = D
  Step 2: W2 + …
  Step 3: ROL30(-)
  Step 4:
  Step 5: ROL30(W1 + ROL5(A) + f(B,C,D) + E + K)
  Step 6: W6 + … – fixes the W1 perturbation
SHI-1 Error Propagation in Hash

Perturbation on bit 1 at W1(i); corrections defining the masks at W6(i+1),
W1(i+2), W31(i+3), W31(i+4), W31(i+5):

  Step:   i        i+1        i+2        i+3        i+4        i+5
  D:      W1(i)    W6(i+1)    W1(i+2)    W31(i+3)   W31(i+4)   W31(i+5)
  State
  A(i):   A1(i)    A(i+1)     A(i+2)     A(i+3)     A(i+4)     A(i+5)
  B(i):            B31(i+1)                                    B(i+5)
  C(i):                       C31(i+2)                         C(i+5)
  D(i):                                  D31(i+3)              D(i+5)
  E(i):                                             E31(i+4)   E(i+5)
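The six-step local collision of the last two slides, carried out in code, as an added example that is not from the slides. The step function follows the SHA-0 state update on (A, B, C, D, E); SHI-1 is obtained by replacing the modular additions with xor and using a linear f (the parity B ^ C ^ D, an assumption made here; SHA-0 uses parity only in some of its rounds). Flipping bit 1 of W(i) and then bits 6, 1, 31, 31, 31 of W(i+1)..W(i+5), the masks of the table above, cancels the perturbation exactly under xor. Running the same masks with real modular addition shows that the cancellation then depends on the chaining values, which is the "conditions on chaining variables" point. The chaining values and message words are constructed random inputs.

```python
"""The 6-step SHI-1 local collision: perturb bit 1 of W(i), correct W(i+1..i+5).

Added example, not from the slides.  SHI-1 is the slides' approximation of the
SHA-0 compression function with XOR in place of modular addition and a linear
f (parity here, an assumption).  The same correction masks are then replayed
with real modular addition to show that the cancellation becomes conditional.
"""
import random

MASK = 0xFFFFFFFF
K = 0x5A827999                                   # SHA-0 round constant, rounds 0..19


def rol(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def step(state, w, use_xor):
    """One SHA-0-style step; use_xor=True gives the SHI-1 approximation."""
    a, b, c, d, e = state
    f = b ^ c ^ d                                # linear f (parity), an assumption
    if use_xor:
        t = rol(a, 5) ^ f ^ e ^ w ^ K
    else:
        t = (rol(a, 5) + f + e + w + K) & MASK
    return (t, a, rol(b, 30), c, d)


# Masks from the slide's table: perturbation on bit 1 of W(i), then corrections
# W6(i+1), W1(i+2), W31(i+3), W31(i+4), W31(i+5).
LOCAL_COLLISION = [1 << 1, 1 << 6, 1 << 1, 1 << 31, 1 << 31, 1 << 31]


def run(state, words, use_xor):
    for w in words:
        state = step(state, w, use_xor)
    return state


def local_collision_holds(state, words, use_xor):
    """Do two 6-word messages differing by LOCAL_COLLISION reach the same state?"""
    assert len(words) == 6
    words2 = [w ^ m for w, m in zip(words, LOCAL_COLLISION)]
    return run(state, words, use_xor) == run(state, words2, use_xor)


def collision_rate(use_xor, trials=200, seed=3):
    """Fraction of random (chaining value, message) choices for which it holds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        state = tuple(rng.getrandbits(32) for _ in range(5))   # constructed chaining value
        words = [rng.getrandbits(32) for _ in range(6)]        # constructed message words
        hits += local_collision_holds(state, words, use_xor)
    return hits / trials


if __name__ == "__main__":
    print("SHI-1 (xor, linear f):", collision_rate(True))
    print("same masks with modular add:", collision_rate(False))
```

Tracing the difference through the state explains the masks: after step i only A differs (bit 1); step i+1 sees it through ROL5 (bit 6), step i+2 through f on B (bit 1), and steps i+3..i+5 through C, D and E after ROL30 (bit 31). Under modular addition the bit-31 corrections always cancel (no carry can leave the top bit), but the bit-1 and bit-6 corrections cancel only when the signs of the two differences are opposite, which is what the chaining-value conditions enforce.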


Message Expansion
• The process of expanding from sixteen 32-bit words to eighty 32-bit words
  in the compression function is called message expansion
  – MD5
    • Permutations
  – SHA-0
    • Linear code (LFSR)
  – SHA-1
    • Linear code with rotation
• Has a profound effect on possible disturbance vectors in differential attacks
• Being studied to provide greater protection
• Replace xor with modular addition to prevent codeword difference propagation
• Conditions on chaining variables for local collision (probability between
  2^-39 and 2^-42)
End
